Commit 1ea8b211 authored by Michael Biebl

Make /run/lock tmpfs an API fs so it is available during early boot

Closes: #751392
parent 3ce3663a
...@@ -15,6 +15,8 @@ systemd (215-1) UNRELEASED; urgency=medium ...@@ -15,6 +15,8 @@ systemd (215-1) UNRELEASED; urgency=medium
the public API and not used anywhere so we don't need a soname bump. the public API and not used anywhere so we don't need a soname bump.
* Cherry-pick upstream commit to not install busname units if kdbus support * Cherry-pick upstream commit to not install busname units if kdbus support
is disabled. is disabled.
* Make /run/lock tmpfs an API fs so it is available during early boot.
(Closes: #751392)
-- Michael Biebl <biebl@debian.org> Tue, 26 Aug 2014 12:09:10 +0200 -- Michael Biebl <biebl@debian.org> Tue, 26 Aug 2014 12:09:10 +0200
......
From: Michael Biebl <biebl@debian.org>
Date: Fri, 5 Sep 2014 01:15:16 +0200
Subject: Make /run/lock tmpfs an API fs
The /run/lock directory is world-writable in Debian due to historic
reasons. To avoid user processes filling up /run, we mount a separate
tmpfs for /run/lock. As this directory needs to be available during
early boot, we make it an API fs.
Closes: #751392
---
src/core/mount-setup.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
index 206f89a..e713338 100644
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@@ -91,6 +91,8 @@ static const MountPoint mount_table[] = {
#endif
{ "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
NULL, MNT_FATAL|MNT_IN_CONTAINER },
+ { "tmpfs", "/run/lock", "tmpfs", "mode=1777,size=5242880", MS_NOSUID|MS_NODEV|MS_NOEXEC,
+ NULL, MNT_FATAL|MNT_IN_CONTAINER },
{ "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
NULL, MNT_FATAL|MNT_IN_CONTAINER },
{ "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd,xattr", MS_NOSUID|MS_NOEXEC|MS_NODEV,
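Review bot: the new /run/lock entry carries MNT_FATAL, so a failure to mount this lock directory is treated as fatal for boot in the same way as a failure to mount /run itself. If that is not intended, drop MNT_FATAL from this entry and keep only MNT_IN_CONTAINER. Also, mode=1777 with size=5242880 stops users from filling /run, but the 5 MiB is a single shared pool, so one local user can still exhaust it and block lock-file creation for everyone else. A short comment above the entry saying that it is Debian-specific and why the limit is 5 MiB would make that trade-off visible to whoever rebases the patch.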
...@@ -132,3 +132,4 @@ Do-not-order-rcS.d-services-after-local-fs.target-if.patch ...@@ -132,3 +132,4 @@ Do-not-order-rcS.d-services-after-local-fs.target-if.patch
Map-rcS.d-init-script-dependencies-to-their-systemd-.patch Map-rcS.d-init-script-dependencies-to-their-systemd-.patch
Make-emergency.service-conflict-with-rescue.service.patch Make-emergency.service-conflict-with-rescue.service.patch
Stop-syslog.socket-when-entering-emergency-mode.patch Stop-syslog.socket-when-entering-emergency-mode.patch
Make-run-lock-tmpfs-an-API-fs.patch
...@@ -172,7 +172,6 @@ override_dh_install: ...@@ -172,7 +172,6 @@ override_dh_install:
install --mode=644 debian/tmpfiles.d/debian.conf \ install --mode=644 debian/tmpfiles.d/debian.conf \
debian/systemd/usr/lib/tmpfiles.d/ debian/systemd/usr/lib/tmpfiles.d/
install --mode=644 debian/debian-fixup.service debian/ifup@.service \ install --mode=644 debian/debian-fixup.service debian/ifup@.service \
debian/units/run-lock.mount \
debian/systemd/lib/systemd/system/ debian/systemd/lib/systemd/system/
install --mode=644 debian/extra/udev-finish.service \ install --mode=644 debian/extra/udev-finish.service \
debian/udev/lib/systemd/system/ debian/udev/lib/systemd/system/
......
...@@ -81,9 +81,5 @@ ...@@ -81,9 +81,5 @@
# Compat symlink # Compat symlink
/lib/systemd/systemd /bin/systemd /lib/systemd/systemd /bin/systemd
# Mount separate tmpfs file system for /run/lock because in Debian this
# directory is writable by everyone
/lib/systemd/system/run-lock.mount /lib/systemd/system/local-fs.target.wants/run-lock.mount
# Create a compat symlink as systemd-sysctl no longer reads /etc/sysctl.conf # Create a compat symlink as systemd-sysctl no longer reads /etc/sysctl.conf
/etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf
[Unit]
Description=Lock Directory
Before=local-fs.target
[Mount]
What=tmpfs
Where=/run/lock
Type=tmpfs
Options=nodev,noexec,nosuid,size=5242880
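Review bot: with run-lock.mount deleted, the size=5242880 limit from its Options= line now lives only as a compiled-in string in mount_table, so an administrator who overrode the unit to change the size or options loses that setting without notice. The changelog entry should state that the unit has been removed and that the mount parameters are now fixed in src/core/mount-setup.c.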